Mozilla Firefox Multiple Vulnerabilities

Secunia Advisory SA38608

Description

Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to manipulate certain data, bypass certain security restrictions, disclose sensitive information, or compromise a user's system.

This report seems to be a hoax. At the forum post, some users already write that the exploit does not work. Secunia seems not to have tested it, but just used the information written by some unserious "Russian security researcher" (a.k.a. blackhat hacker) who wants to sell his product.

I noticed that there are no posts newer than Feb 4 on the VulnDisko thread where this was first announced. Posting stopped shortly after "Mario23" questioned the validity of this vulnerability claim because he couldn't duplicate it. This seems suspicious, yet Secunia grabbed it with both hands and ran with it.

Lack of co-operation on a security matter from whatever site has unpleasant overtones for me/us the common user. I feel fairly secure as I run my browsers in a sandbox ("Sandboxie"); but I would expect Secunia to comment further on this problem having put out an Advisory on a "muddy" situation, especially if they can confirm the exploit and Mozilla don't seem able.

Not just Secunia, but everyone has taken this and run with it. It ends up being a kind of "slander" against Firefox. I just received word about it in the SANS vulnerability newsletter today (http://www.sans.org/newsletters/risk/display.php?v...) [link will not be valid until they archive the newsletter, for some reason I can't find the current @RISK newsletter on their website.] Many of these alerts are reading "Vendor confirmed, updates available," but as far as I can see, this is neither vendor confirmed, nor are updates available at this point for ff 3.6.

@ TiMow: I've been sandboxing any browser I use for a very long time:). To be very honest, I don't think that anyone should downgrade because:

1. If it's affecting 3.6, it could be affecting 3.5 and earlier versions.
2. A good combination of addons like NoScript and safe browsing should take care of any threats around.
3. Sandboxing the browser is one good step towards securing it.
4. To make things even safer, I won't be doing stuff like netbanking or paying online bills (guess I'm more paranoid:) using Firefox.

If you can, please let me and others reading this thread know how exactly this vulnerability could affect users. That would be very, very helpful. Thanks!

I am unsure if your last question re. vulnerability was directed specifically at me, or the wider community in general.

As I implied above, my feelings are to question the authenticity of this vulnerability, and not to prove its existence.

But I try to base my decisions / choices on the available information. If as PSI users we believe in the benefits that it offers in reporting on insecurities, then we should therefore act on the information provided - which is what I have done re. changing from 3.6 back to 3.5.8 - which as of a scan today, still shows as secure (according to Secunia).

But I too have seen reports telling of multiple vulnerabilities in other versions - 3.0, 3.5; and in one case listing 3.5.8.

I think there is a lot of scaremongering going on, and almost to levels of conspiring against Mozilla.

I take on board your other points, and this is the 2nd time that the issue of sandboxing has been brought up. As of yet I don't use one, but this will probably have to change. I also try to avoid add-on overload, but will look into your recommendations.

TiMow

@ TiMow: Yes, that's what I meant:)...Would really appreciate it if someone from Secunia or anyone reading this thread could throw some light on how exactly this vulnerability will/could affect users of Firefox 3.6.

I appreciate that Secunia flags the unconfirmed threat. A discussion is triggered which I find beneficial. For example now I will look into the option of installing a sandbox sw although I am concerned about its effect on my already overloaded system.

Regarding the "fuss" about issuing alarms for unconfirmed threats or not, both sides of the question are right. My view - and wish list - would be that Secunia inserts a further column in the Unsecure Overview Screen entitled "Confirmed/Unconfirmed Status" and that the concept of "confirmed" be explicitly stated, e.g., tested by Secunia or tested by another reliable organisation.

I want to know of possible security threats AND if they are confirmed or unconfirmed.

I fell into a sandbox at the start of my PC ownership thanks to Ian "Gizmo" Richards and his late (much lamented) newsletter. He now has a very well (volunteer) run website where you can find "unbiased" advice on as much FREE software as you need to bring your system to a grinding halt :))

Following his advice, my security is based around an Internet Security suite, a sandbox and a "vulnerability" checker; with back-up "on demand" A/V, A/S and rootkit scanners - enough overkill to satiate my paranoia, which does not preclude crossing fingers, smiling at the PC Wizard, etc. - you can read his ideas for yourself, if you have time :-

PS: I have Ff as default, but also run Chrome in my sandbox - even though it has its own sandbox system - with no noticeable slowdown, apart from the initial sandbox start up; I can live and surf "happily" with that.

@ Anthony: You sound even more "paranoid" than me:)....But yes, it's each man for himself and each of us will have a different definition of what "computer security" is. I use a combination of Comodo Internet Security (just the firewall and Defense +) with Microsoft Security Essentials and gmer.

If I do have to run any unknown programs which I think could be a security risk, I use Sandboxie.

I also do not store passwords relating to online banking. I simply store those in my pendrive.

This addon is best when it comes to auto login in Firefox (this is similar to Opera Wand):

Nice overkill :)) I should have mentioned that my ISP "gives" me a modem with a Hardware Firewall that Kiefer Sutherland and his team would be proud of cracking!!

I noticed you get around a bit, you started in "AX" and now you're in "IN"; great stuff "IT"; apparently I'm in "FR" wherever that is meant to be, the local wine is good which is all that matters :)

FF3.6 vs. FF3.5.8
FF3.6 reported as insecure (running 3.6)
FF3.5.8 reported as secure
If I revert to 3.5.8 then I have the Security Vulnerabilities in 3.5.8 that were fixed in 3.6
I'm at a loss to understand why Secunia reports FF3.5.8 as secure when FF3.6 fixed known security issues in 3.5.8: http://www.mozilla.org/security/known-vulnerabilit...

How can or why should Secunia change their reporting....
as per this Secunia post below...Secunia has verified the threat....
as the threat has been verified by Secunia ....Secunia reported it and has no reason to modify their assessment. I hope Mozilla has reached out to Secunia.
Mozilla has been unable to verify the threat....Since Secunia has verified the threat...logically Mozilla would be reaching out to Secunia.
Question to Secunia: Has Mozilla asked for your help?
__________________________________________________
E.Petersen Firefox patch
forgetaboutit45 24th Feb, 2010 08:42
Hi,
The Secunia researchers verify all exploits before issuing advisories.

Thanks for your feedback...I apologize, I am unable to locate the info you posted..
I do locate the following:
Secunia Research Team

The Secunia Research team is comprised of a number of Secunia security specialists, who besides testing, verifying, and validating public vulnerability reports, also conduct their own vulnerability research in various products.

Since the inauguration of Secunia it has been our goal to be the most accurate and reliable source of Vulnerability Intelligence. We have achieved just that!

Being the world's best Vulnerability Intelligence source requires skilled and dedicated staff with a passion for vulnerabilities.

To reward our staff for their persistent efforts in verifying vulnerability reports and to ensure that they possess and hone their skills necessary to find vulnerabilities, we have awarded certain Secunia staff dedicated time to conduct vulnerability research.

The Secunia Research Team members spend some of their time researching various high-profile closed source and open source software using a variety of approaches, but focusing mainly on thorough code audits and Binary Analysis.

This allows them to sometimes discover hard-to-find vulnerabilities that are not normally found via e.g. fuzzing techniques and the approach has definitely paid off! Members of the Secunia Research Team have discovered critical vulnerabilities in many popular products from various vendors including: Microsoft, Symantec, IBM, Adobe, RealNetworks, Trend Micro, HP, Blue Coat, Samba, CA, Mozilla, and Apple.
__________________________________________________
I read no Secunia text to indicate that "verified" does not mean "verified"
I read no Secunia text to indicate that... The fact that the report has been verified does not mean that Secunia have tested the vulnerability, or been able to reproduce it.
__________________________________________________
How might Secunia verify a report absent testing to reproduce it?
Why would Secunia issue an insecure that has not been tested, verified and reproduced?
Secunia clearly states their mission:
The Secunia Research team is comprised of a number of Secunia security specialists, who besides testing, verifying, and validating public vulnerability reports, also conduct their own vulnerability research in various products.
Testing, Verifying, and Validating ~ As per Secunia the FF3.6 vulnerability has been tested , verified and validated.
My point is ~ How can / why should Secunia change the insecure status of FF3.6 after all that testing, verifying and validating?
If Secunia processes are as diligently accurate as claimed then FF3.6 is insecure. Do you expect Secunia to rescind the insecure based on user complaints?
If I were Mozilla ... I would be reaching out to Secunia for help. Mozilla claims they are unable to gather any info from the person that reported the threat.
If Secunia has not reproduced this vulnerability then how can Secunia assign it a category level?
Mozilla is quiet and Secunia is sure they have a valid insecure Cat4 and reported as such.
Regards
bjm-
anytime Secunia official would care to chime in and correct / clarify this issue ...please !

Hover your mouse over the "Available in Customer Area" text next to the "Report Reliability" label, and read the tool-tip:

"Vulnerability reports may vary in reliability depending on the sources. Secunia always verify the reports and the majority of reports are also tested by Secunia staff. Based on the findings during the verification and testing we also determine a reliability rating. E.g. reports from Microsoft are considered trusted and will be used directly in a Secunia advisory, however, Secunia may still choose to conduct further technical analysis and enhance / update the advisory based on this analysis."

Pay particular attention to the second sentence:
"Secunia always verify the reports and the majority of reports are also tested ..."

In other words, they have verified that the report looks genuine, but have not necessarily tested or reproduced the alleged vulnerability.

I don't expect Secunia to remove a vulnerability report based on user complaints, but I would expect them to make it clear whether they have reproduced the vulnerability, or even seen a believable demonstration of it.

At the moment, FF3.6 is listed as insecure because one person has claimed to have a working exploit. No details or demonstration has been made available, so nobody has any way of knowing whether this is genuine or a hoax. Given that Firefox is open-source, I find it hard to believe that there is only one person devious enough to find this supposed bug!

Secunia has updated the links to include a blog post by the black hatter (who claimed to have discovered the vulnerability).

He says that the vulnerability does "exist" and furthermore he says "I've ignored emails from Nick Farrell and from Mozilla, please do not waste my and your time anymore".

In plain English, "I (may have ) found a vulnerability, however, since I'm a greedy guy:), I will not share this with Mozilla or the rest of the world. So if you want to know about it, pay up or shut up!"

However, he has also said "There are exists dozens of 0days in every browser, you can continue to use firefox as usual - I am writing this post using firefox.".

How nice:)....Bless you, sir!:)....So much for the open web.

Updated on March 7 2010: Looks like Evgeny Legerov has removed his blog about the Firefox Vulnerability. However, I've retrieved it through Google cache:)...For those interested here you go:

Hello RichardD & 0puns0r3s
Thank you for keeping this issue live....
Thank you for your informative helpful posts...
--------------------------------------------------
My purpose for posting Secunia's mission statement was to solicit a response from Secunia official to stand behind their statement.
"The Secunia Research team is comprised of a number of Secunia security specialists, who besides testing, verifying, and validating public vulnerability reports, also conduct their own vulnerability research in various products"
--------------------------------------------------
The above Secunia statement in no way suggests that Secunia has only verified that the report looks genuine, but may not necessarily have tested or reproduced the alleged vulnerability. The Secunia mission statement text asserts - testing, verifying, and validating public vulnerability reports, also conducting their own vulnerability research in various products. Testing, Verifying, Validating and Conducting in-house Vulnerability Research. Again, how would Secunia assign a Cat4 absent Testing, Verifying, and Validating?
I see no reason to excuse Secunia based upon "the majority of reports are also tested ..."
How would a threat rate a Cat4 if it were not Tested, Verified and Validated?
How would a threat rate a Cat4 if Secunia has not reproduced the vulnerability, or even seen a believable demonstration of it?
This user either has to accept on faith and the past performance of Secunia that the validity of this Secunia reported threat is accurately reported, or this user must call into question all Secunia reporting.
I do not pay for Secunia reporting...so, I can not hold Secunia to my standards. All I have is my trust in and the past performance of Secunia.
If I paid for Secunia... I would expect them to make it clear whether they have Tested, Verified & Reproduced the Vulnerability, or even seen a believable demonstration of it.
RichardD & 0puns0r3s ... how is the Cat4 rating determined absent Testing, Verifying, and Validating?
Do I accept the accuracy of this Secunia reporting or do I call into question all Secunia reporting?
Quandary,
bjm-

@ bjm-You've asked some very good questions and Secunia are the only ones who could give a proper answer:)...Regarding the Firefox vulnerability:

1. To put it very bluntly, we only have the hacker's words right now that "a vulnerability does exist". No other person has come forward saying that "there is a vulnerability"....

Like Richard D, I find it very hard to believe that only one person has been able to find the vulnerability given the fact that Firefox's code is open source!

Here is a blog post by Sebastien Klipper and a response by Secunia's CSO Thomas Kristensen. Secunia are actually "admitting" that "This particular report is a bit special because of the lack of information available.". Plain English: We can't say for sure that such a vulnerability exists!:)

I've seen many sites taking this "vulnerability" stuff and create unnecessary mud slinging:(.....

It would be great if the Firefox team or rather the Firefox Security team would issue a statement of some kind reassuring their users. At the end of the day, it's bad press that kills a product.

My questions (please note that I'm not a software developer or anything like that:)..I'm just a web user):

1. Why can't Mozilla purchase the Vulndisco software package? I'm aware of the fact that the black hatter guy (Evgeny Legerov) could be using "blackmail" tactics to force everyone to buy his software.

2. Is this a "Windows-only" vulnerability or does it affect the Macintosh and Linux platforms also? I'm a Windows user who is pretty tech savvy:), but I would still like to know how this vulnerability would affect Windows.

The Mozilla Team already put out a note they were trying to get in touch with the alleged exploit finder with no success.

The problem with buying Vulndisco is that you set a precedent: if Mozilla did it, they would essentially be paying for exploit info. After caving once, how many people do you think would somehow package exploits for sale to Mozilla?

The first source link says XP SP3 and Vista, but there's no way to tell as no one has PoC code.

@ coopa
coopa makes a valid point re > they would essentially be paying for exploit info. Open Source is supposed to allow the free flow of info.
Unfortunate that Mozilla is silent... I have searched all over Mozilla for just a faint reference to Secunia. IDK, Mozilla appears to have acknowledged the reported threat and has no other plans for now?
Secunia has acknowledged the reported vulnerability and extends the reported vulnerability both credibility and severity.
Kudos to Opera for stepping up and reaching out to Secunia.
thanks to all for keeping this thread active...
No benefit to giving the hatter more press time....but, Secunia users (this user) need to better understand the process. How does a reported issue go from A to B, and B with a Cat4? Is it all subjective? How does any claimed threat get acknowledged and validated and reported and rated by Secunia?
Recall, Opera denied their threat at first and now Opera appears to be taking it seriously. Secunia has a big soapbox. When Secunia speaks ....it does carry weight. Why Mozilla is not hearing....unknown?
Regards to all @ Secunia,
bjm-

Description: Several products from the Mozilla Foundation such as its popular web browser Firefox, internet suite SeaMonkey, and email client Thunderbird, contain multiple vulnerabilities. The first issue is caused by a memory corruption error in the browser engine and this might result in arbitrary code execution. The second issue is a heap corruption error in Mozilla's Web Workers implementation caused by improper handling of array data types while processing posted messages. The third issue is a use-after-free error in the HTML parser caused by incorrect freeing of already used memory. The fourth issue is a same origin policy violation caused by inadequate restriction of read access to objects passed to showModalDialog and can be triggered by specially crafted dialogArguments values. The fifth issue is caused by an error in the way SVG documents that are served with Content-Type: application/octet-stream are processed, eventually leading to bypassing the same-origin policy. Full technical details for the vulnerabilities are publicly available via source code analysis.

Description: Mozilla Firefox, an open source web-browser from the Mozilla Application Suite, is the second most popular browser with a 24.43% usage share. It reportedly contains a flaw caused by an unspecified error and it can be exploited to execute arbitrary code. Technical details for this vulnerability are not available publicly and there are reportedly no public proof-of-concepts or exploits circulating in the wild. There is reportedly a working commercial exploit from the VulnDisco Pack.

@ coopa, bjm- and Dr Zen thanks for the info! We have learnt a lot at this thread!

Regarding the Opera Vulnerability, this is what I've learned so far....It was "disclosed" by (Marcin Ressel/Vupen Security) (source: http://www.theregister.co.uk/2010/03/05/opera_vuln...). Keyword here being "disclosed":).....In the case of Firefox, the Vulndisco guys have not "disclosed" the supposed "vulnerability".

Therefore, I still fail to see how Secunia could give a "Category 4 Security Threat" to Firefox without a proper "Proof of Concept" demo!

As a further update, here is the response I received from the Firefox Security Team:

(unknown source) Hi <my real name here!:)>,

I saw your comment on the blog post as well. I'm sorry, but there is simply no additional information that we have to share that isn't posted there. If and when we learn anything actionable, we will be sure to respond appropriately.

I'm posting his entire comments here since this page could also disappear from Google cache:

It seems that a lot of rabbits are speculating about Firefox module which has been released as a part of Vulndisco 9.0.

Honestly we see nothing special about this particular bug, as there are tremendous amount of bugs in every browser. If we were able to find 1 bug in Firefox, highly motivated organized hackers will find 10 bugs, 'security industry' is usually one step behind hackers...

We are not going to explain here why we are developing Vulndisco and how it can be used, but some points about ff module should be explained:

To sum up, as post to mozilla security blog suggests - 'keep browsing with Firefox with confidence'
Posted by Evgeny Legerov at Monday, March 01, 2010

If 1 + 1=2, then.......No proof of concept code, only one person/software module has reported this vulnerability, most of us are firefox users and we've seen nothing unusual, unnecessary FUD and publicity....Then there is nothing (much) to worry about:)....Of course, we do continue to be careful while browsing the web with any browser...That is understood.

Hello 0puns0r3 ~ coopa ~ Dr Zen ~ Anthony Wells,
We are at an impasse...? Yes/No?
1) The Secunia researchers verify all exploits before issuing advisories.
Emil R. Petersen
Secunia PSI Support
2) All known publicly reported vulnerabilities are Fixed in:
Firefox 3.6
Firefox 3.5.8
Firefox 3.0.18
Thunderbird 3.0.2
SeaMonkey 2.0.3
3) There is reportedly a working commercial exploit from the VulnDisco Pack.
4) Secunia researchers verify all exploits before issuing advisories.
5) Technical details for this vulnerability are not available publicly and there are reportedly no public proof-of-concepts or exploits circulating in the wild.
6) Secunia researchers verify all exploits before issuing advisories.
7) I still fail to see how Secunia could give a "Category 4 Security Threat" to Firefox without a proper "Proof of Concept" demo!
8) I would expect Secunia to comment further on this problem having put out an Advisory on a "muddy" situation , especially if they can confirm the exploit and Mozilla don't seem able .
--------------------------------------------------
re > I run my browsers in a sandbox ("Sandboxie")
Sandboxie has limitations....
Sandboxie cannot always protect from exploits that only require the browser to be actionable. There are exploits that appear as normal browser activity and only require the browser to be actionable. Sandboxie is more effective with exploits that require a app outside the sandbox'd browser to be actionable.
--------------------------------------------------
Impasse & Quandary
bjm-

P.S. to Dr Zen re > Workaround - disabling Java ?
I read:
Disable JavaScript until a version containing these fixes can be installed.
Java and JavaScript are not the same animal. JavaScript does not require Java.
~~Until a version containing these fixes can be installed~~
see item 2) All known publicly reported vulnerabilities are Fixed.
I run FF (all ver) with Java and Flash disabled all the time & of course with NoScript (for JavaScript). I find very limited use for Java & I enable Flash player as required. As I am also Sandbox'd...all enabled revert to disabled upon dumping the sand. I do not allow access to the entire profile.
Cheers
bjm-

1) if there is no PoC and it's not in the wild, then we don't know if any specific counter measure is directly useful, in this case;

2) why/how have Secunia come up with a CAT 4; is it a "catch all" super cautious thing??;

3) Will it encourage other hackers to hold people to ransom (so to speak) ??

Regarding "Sandboxie", for sure nothing is 100% secure (that's why we are here :(( :). I use it to great effect (for me, that is) as a part of my security set up to look to get "good" safety with ease of access to the surf.

Sandboxie clearly state that they update pretty regularly to cover known vulnerabilities, but at my level of use I am not clear what you mean by "actionable" apps in and out of the box and the problem therein.

If you have time, perhaps you could add some extra detail.

Take care
Anthony

PS: I am running Google Chrome (4.0.x stable) and it sits well alongside Firefox. It has its own sandbox system and the latest versions also run happily in Sandboxie.

~ knowledgeable Sandboxie users know how to tighten up the default Sandboxie settings ~ some @ Secunia Forum may have been introduced to Sandboxie via this thread....I did not want my posts to imply Sandboxie is perfect. I always browse sandbox'd. But, if I happen on a rogue site...Sandboxie will not protect me from myself. Posting this on a trusted site. There is a free exchange of data sandbox'd. If I were posting this on a rogue site. There would also be a free exchange of data.
--------------------------------------------------
Thanks for the comments about Google Chrome ~ every time I think I'll try Chrome, I read about concerns over Google tracking and privacy. http://www.srware.net/en/software_srware_iron.php
--------------------------------------------------
just between us (no one else will read this)....do you feel Secunia has accurately reported the FF 3.6 vulnerability..

Thank you for the clarification on sandboxes which I understand and at least I feel comfortable I am not missing anything .

You rightly emphasise the "read" possibility and all that entails and that using the FAQ and excellent Forum will help new users to tighten the bolts to make their paranoia squeak. I really am only looking in my case to stop exploits installing or downloading whilst my back is turned :((

As far as Google tracking is concerned, I feel that once you are surfing with any kind of speed or freedom you are anybody's and everybody's and your data is up for grabs to any bidder; I don't get the impression Google are any better or worse. If you want to worry, think of what the Govt. or your Insurance Co knows about you and how "secure" that data is (not).

I clean out Ff and Chrome most days with CCleaner after choosing (along with Browser settings) which site data I may want to keep for particular access or arrangement. At the end of the day there is not much left.

As to the handling of the Ff problem, just between you and me, then nobody comes out looking good. We are so used to trusting Secunia (as you have pointed out) and, in general, rightly so: but let's face it, if you or I can make a mistake then so can anyone; an unknown ranking rather than CAT 4 would be more understandable to me :)

@ all: Yes, we are at an impasse:)...Before we continue, I am not a hacker:) though I do pick up his posts from google or google cache.....I too hope that you guys are not hackers:).....Our final option: Start an online petition and send it Michelle Baker, the CEO of Mozilla.

@ bjm-Sandboxie is a good tool, but if you practice "safe browsing", there is no need for (more) paranoia:)......

1. Use NoScript and disable JavaScript etc...and allow those for sites which you trust.

3. If you don't click on random popups or ads which say "your computer is infected. Click here to fix or perform a free scan", then another part of your problems vanish:)

My only primary concern: Online banking! For anything that requires you to use your online banking account, I think that for that alone, an alternative browser should be used (more paranoia!:)...However, I did use Firefox to pay my online phone bills and my banking account is intact:) (touchwood!)

Secunia: I still have a lot of respect for you guys and I'm also a user of your PSI tool, but if you do know about the "exploit", please clarify. Otherwise, there is seriously no point having a "CAT 4 rating". How different is your organization from that of the hackers?

If you do have the info, but are willing to share it with only customers who can "pay up", please mention it in the advisory. On the other hand, if you do not have the info, please say so.

Make it clear and do not hide behind fancy jargon. This smacks of irresponsibility and goes against the spirit of Open source software and the free web.

I really don't know whether this is reliable, but the thread at the Immunity forum seems to have been updated:

If it is true, then it seems that the bug occurs if Firefox tries to load a "malformed" PNG File. Quoting the response here:

I've tried it but it did not work well here. Just Firefox crashes, but the sample code (starting %system_dir%\calc.exe as far as I understood) did not work... (WinXP SP3, Firefox 3.6) Probably just my tests were incorrect - I don't know, I've tried to contact the support team, but no answer. :(

Just some small info: The bug occurs when Firefox tries to (specially? - did not test anything else but the one example code) load a malformed PNG file; I do not know the PNG format very well, so no further info here.

Still, you can contact me about the code/PNGs. I'll just answer honest proposals (don't waste my time in any other case - transmutator42 at gmail dot com).

To Secunia Official
Please explain how Secunia assigns a Cat4 rating. What protocol is used.
I would better understand / trust the rating if I knew whence it came. How it is derived. What checks and balances are at play to ensure accurate vulnerability reporting & rating.
Please explain if Secunia has tested , verified , validated and/or reproduced the Mozilla Firefox Unspecified Code Execution Vulnerability.
--------------------------------------------------
Please clarify the new Relevancy Score system. What prompts "This reply has been minimized due to a negative Relevancy Score"? How many thumbs down prompt a post minimization? Is Relevancy Scoring exclusively user based? May Secunia thumb up/down a post? May Secunia minimize a post for cause? So, if I just don't like a user for any reason... all I have to do...is vote negative.
Very democratic ~ one negative; and any opinion, any contribution, any post is minimized.

@ Secunia: Some of us in this thread have been quite frank with our questions. We came here expecting some sort of reply from you guys. Sadly, we still have not got them.

We could not care much about the negative ratings we get! Heck, none of us trolled...we did our best and we still have not received any kind of answer.

@ all: It's been a pleasure interacting with you guys in this thread. Until we meet again elsewhere:). If there is some kind of update regarding this issue, do not hesitate to share it here. Bye for now.

Just a small piece of news for those interested. Firefox will have an update to the next version "3.6.2". Yes, there will be no 3.6.1. Probably by March 30th or so...So guess that will take a bit of worry from our minds. More details here:

For your information, we do read every single posting on the "Secunia Vulnerabilities Forum". When we see relevant information we will, to the extent possible, confirm this and, if applicable, update the relevant advisory.

This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.

Hello Secunia
@ Secunia
A vulnerability has been reported in Mozilla Firefox, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary code.
The vulnerability is reported in version 3.6. Other versions may also be affected.
@ Secunia
This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.
@ Secunia
The Secunia researchers verify all exploits before issuing advisories.
Emil R. Petersen
Secunia PSI Support
--------------------------------------------------
Since the Mozilla Firefox Unspecified Code Execution Vulnerability has not been updated then the advisory is considered accurate as is - or the posting did not contain sufficient evidence to prove, reproduce, or verify the claim.
Q: How does this user know if the Mozilla Firefox Unspecified Code Execution Vulnerability advisory is accurate - Or - the posting did not contain sufficient evidence to prove, reproduce, or verify the claim.
Q: How does this user reconcile - The Secunia researchers verify all exploits before issuing advisories. The Secunia Research team is comprised of a number of Secunia security specialists, who besides testing, verifying, and validating public vulnerability reports, also conduct their own vulnerability research in various products.
--------------------------------------------------
A) Secunia researchers presumably verified this exploit before issuing the advisory.
B) Secunia researchers presumably tested, verified and validated this exploit and may have conducted their own vulnerability research.
Or,
C) The posting did not contain sufficient evidence to prove, reproduce, or verify the claim.
How does this user know if A, B or C is the scenario.
--------------------------------------------------
Secunia asserts that Secunia researchers verify all exploits before issuing advisories.
Secunia asserts that Secunia may not have sufficient evidence to verify the exploit.
Fact: Mozilla Firefox Unspecified Code Execution Vulnerability advisory was issued.
Either Secunia verified the exploit before issuing the advisory - or - Secunia did not verify the exploit due to lack of sufficient evidence.
How does this user know if the exploit was verified or was not verified.
Simple question: How does the user know if the exploit was verified or was not verified.
Respectfully submitted,
bjm-

I can see reporting this when it came out, but the evidence is overwhelmingly against the existence of the vulnerability.
-No use in the wild
-No proof of concept
-The security researcher Evgeny Legerov has deleted his Twitter and blog (one of Secunia's sources, mind you)
-The Firefox team has tried to contact him
-He disclosed the alleged bug as part of a commercial exploit pack, the only 2 posts from customers say the bug does not work

It wasn't irresponsible to list this alleged vulnerability when it came out due to Evgeny Legerov's track record (milw0rm, etc.) but at this point...?


Very well stated. Simple questions as yet not even remotely addressed....after what, 6 weeks??? 7??? The SILENCE is DEAFENING.....

Meanwhile, in the distance the conspicuous by his absence "black hatter" can be heard bellowing raucously...

1. The so-called vulnerability seems to be completely unconfirmed since the hacker reported it.

2. Secunia confirms all "vulnerabilities" and only then gives a rating.

3. This would mean that Secunia has knowledge on how the vulnerability would work. In other words, your organization can "demonstrate" on how this vulnerability would work.

4. If (that's a huge IF) the black hatter's software did detect a vulnerability for real in Firefox and he has sold it to interested groups, then we would hear reports of many Firefox browsers being "hacked" around the world. But so far, we've not heard of any such reports.

5. I'm still using Firefox as my primary browser for casual browsing and also paying my bills online. I've noticed nothing unusual like sudden unexpected crashes or unnecessary freezes. Then again, I also practice safe browsing.

6. Your PSI tool rating says "Insecure-no solution" for Firefox 3.6. Excuse me?
Have you taken the trouble to contact the Mozilla team and confirmed with them before giving such a status to Firefox?

Open message to all PSI users,
@Secunia
For your information, we do read every single posting on the "Secunia Vulnerabilities Forum". When we see relevant information we will, to the extent possible, confirm this and, if applicable, update the relevant advisory.
@ Secunia
This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.

This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.
The above Secunia explanation is meaningless, useless double speak;
If we (Secunia) don't update an advisory ....
then the advisory accuracy is "as is" ...or,
the advisory accuracy is "not as is".
Clear as mud!
Oh! and also contradicts Secunia's mission statement.


as a very raw rookie on this stuff, I may be posting inappropriately here, if so tell me.

I was walking out the door mid-afternoon, my Avira had started its daily scan. I was in a hurry so I just clicked to turn it off, but it beeped at me, it had found something. I should have written it down, (as I said I was in a hurry) but it said something about HTML and firefox. On Avira info it said the gremlin was originally identified in 2007, but something had been updated in Feb 2010.


on 12th Mar, 2010 13:18, Secunia Research wrote:
For your information, we do read every single posting on the "Secunia Vulnerabilities Forum". When we see relevant information we will, to the extent possible, confirm this and, if applicable, update the relevant advisory.

This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.

Thank you for uhhhh...clearing this up! (insert sarcasm emoticon here)

Will there be a statement or announcement of any significant relevancy and/or clarity regarding this issue forthcoming by Secunia and/or Mozilla any time in this millennium ??

Secunia is a terrific program, and I surely cannot complain about its cost (nil)--but this situation seems ridiculous to me. Can we PLEASE get some relevant information (a workaround, perhaps?) sometime SOON????

Hmmm. Seems to be a lot of posts "minimized due to negative relevancy" on this thread. Go ahead and bury your heads in the sand if you wish, but I STRENUOUSLY disagree with the thumbs down "(Un) Reccing Crew".

I'll say it again for those who may have misinterpreted what I previously posted:

Will there be a statement or announcement of any significant relevancy and/or clarity regarding this issue forthcoming by Secunia and/or Mozilla any time in this millennium ??

Secunia is a terrific program, and I surely cannot complain about its cost (nil)--but this situation seems ridiculous to me. Can we PLEASE get some relevant information (a workaround, perhaps?) sometime SOON????


For your information, we do read every single posting on the "Secunia Vulnerabilities Forum". When we see relevant information we will, to the extent possible, confirm this and, if applicable, update the relevant advisory.

When we see relevant information....relevant information from who/what? Secunia in-house specialists verify all reported vulnerabilities before the advisory release....that is what Secunia's mission statement asserts.

Secunia will only update the relevant advisory if / when Secunia sees relevant information.

@Pink Freud
Will there be a statement or announcement of any significant relevancy and/or clarity regarding this issue forthcoming by Secunia and/or Mozilla any time in this millennium ??
IMO ~ NO. Secunia will only update the relevant advisory if / when Secunia sees relevant information.
IMO ~ Since Secunia posted the advisory absent relevant information...why would Secunia consider looking for relevant information now?
Respectfully submitted
This reply will be minimized due to a negative Relevancy Score. I corrected Secunia spelling ~ minimised ~ ;-)

I have been watching this thread in keen anticipation of some useful and relevant resolve to this particular issue since the very beginning. I doubt if I can take it anymore.

So I logged in JUST TO ADD MY "THUMBS UP" to several posters who seem to care as much as I do regarding WHAT IS SECUNIA ACTUALLY UP TO with such juvenile and insulting responses to VERY VALID CONCERNS OF PSI USERS such as myself and others...you know who you are.

Unless the substance of this thread is indicative of what we can come to expect in the future from Secunia - lazy, immaterial, irrelevant, indeed insulting addresses to serious inquiries - there is little here to make one believe that Secunia has given any thought to the integrity of its reputation regarding PSI.

Maybe it is PSI that is truly broken rather than Firefox.

For shame, Secunia...for shame!

"This post will be minimized due to whatever Secunia decides, relevant or not"

@ Forum
Secunia has posted their policy regarding the Forum. http://secunia.com/community/forum/thread/show/374...
-------------------------------
To any user expecting a response from Secunia... I sadly offer:
You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.
The forum is considered the community's. You will, therefore, not necessarily see any responses nor comments from Secunia Official's.
This means that if a forum post disputes a Secunia Advisory and the advisory is not updated, usually within 1 business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.
-----------------------------------
So, unless a user is able to post a dispute to a Secunia Advisory that contains sufficient evidence to prove, reproduce, or verify the user's disputed claim, you will not see any responses nor comments from Secunia officials. Once Secunia issues an Advisory, the Advisory stands....until and unless a user / anyone can prove to Secunia and satisfy Secunia that the Secunia issued Advisory is not accurate as is.

1. Mozilla did not consider this as a "vulnerability" since the hacker refused to disclose it. He claimed that anyone could "buy" the vulnerability from him.

2. Secunia have a good reputation with the Security Community. So why would they continue flagging this if they're not sure at all?

3. They report this "vulnerability" as "Mozilla Firefox Unspecified Code Execution Vulnerability". Basically, they're actually admitting that they have no idea about the "code execution" since they've used the word "unspecified"

4. However, they should have made it much more clearer in the advisory.

5. They should have contacted both Mozilla and the hacker and then come to a decision whether this vulnerability does exist or not!

6. Or they could have tested out this vulnerability if possible.

7. So who gains because of this so-called unproved vulnerability?:

a. Rival browsers like Internet Explorer, Opera, Safari, Chrome etc...There is already a lot of FUD like memory hogging, startup, etc..etc..spread about Firefox. This will only add more FUD:(. I did not expect Secunia to do this.

b. More FUD will (continue) to be spread over the internet. People will immediately point out to Firefox 3.6 and say "Mozilla never offered a patch for it. They failed" etc..etc..
(never mind the fact that nobody is sure of this vulnerability! No one would even bother to read this thread)

A lot of damage has already been done with this advisory, I imagine. Does Firefox have a damage control team? Something like SAS and Opera put in recently? That worked!

However, in security, silence is golden. This is not the same as security by obscurity.

We should assume that Evgeny Legerov is a Secunia insider. Then he himself could have done the verification.

Probably there is no Firefox vulnerability. That does not mean that there is not a problem now. Everybody has a problem if Secunia says there is. I think correcting a mistaken advisory is not easy, politically, if it means admitting an organisational flaw. An escape could be a new Firefox release. Because when there is no attention to an old advisory anymore, then changing it would hurt Secunia less.

Mozilla please bring out a dummy patch for this dummy vulnerability. Should not be too difficult. Weave it in with another fix.

Now is a very inconvenient moment for a problematic Firefox vulnerability (very convenient though for the competition).

Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue. The vulnerability was determined to be critical and could result in remote code execution by an attacker. The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix. Firefox 3.6.2 is scheduled to be released March 30th and will contain the fix for this issue. As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience. Alternatively, users can download the current Beta build of Firefox 3.6.2, which contains the fix from here: https://ftp.mozilla.org/pub/mozilla.org/firefox/ni...

1. Black Hatter announces a "vulnerability" in the hopes that someone buys his software. He also threatens not to release the vulnerability.
2. All news sites and security sites publicize the story without any confirmation.
3. Mozilla refuses to "pay up".
4. The vulnerability does not seem to affect a lot of people and Mozilla goes ahead and announces that they will release 3.6.2 anyways.
5. Hacker realizes that he is being foolish and releases the code:)

Questions which will remain unanswered:

1. Why did the hacker take a sudden "u" turn and release the vulnerability?
2. Did Secunia have any knowledge of the exploit?
3. Was the whole thing supposed to be a publicity stunt for the hacker's "Vulndisco" software package?

I guess Mozilla will release the code exploit after the update. I'm also assuming that the exploit will work only with user interaction, i.e. clicking on an untrusted link or something like that?

Then I guess this will vindicate Secunia...as having issued an accurate insecure vulnerability from day one.
Question is...if hatter only just released info to Mozilla....How did Secunia get the info weeks ago. I remain confused. OK, now Mozilla will patch because vendor has reproduced threat only because hatter gave it up. So, does Secunia verify, validate, test, reproduce all reported threats prior to issuing an insecure or does Secunia just report them.
What prompted this turn of events....
Funny how all the actors ~ Secunia ~ Firefox ~ the hatter .... are all vindicated now?
Maybe some times all the pieces just fall into place....or maybe some times the pieces have help?
Guess, I'll have continue to blindly trust Secunia (as I did prior to this issue).
Why did it take FF so long to acknowledge?
Why did the hatter resist till now and now is willing to cooperate?
How did Secunia know the threat was valid all along?
Why has no one else previously reported duplicating the vulnerability?
Why has no one reported having an issue with this threat?
This Secunia Cat4....How did Secunia know...Why was Secunia so certain they were reporting an accurate insecure?
Crystal Ball: http://blog.mozilla.com/security/


Computerworld - Mozilla yesterday confirmed a critical vulnerability in the newest version of Firefox, and said it would plug the hole by the end of the month.

Although the patch won't be added to Firefox before next week's Pwn2Own browser hacking challenge, researchers won't be allowed to use the flaw, according to the contest's organizer.

"The vulnerability was determined to be critical and could result in remote code execution by an attacker," Mozilla acknowledged in a post to its security blog late Thursday. "The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix."

As John Lennon once sang: Strange Days, Indeed. Most peculiar Mama.

ETA: Thank you to those Secunia users who have posted on this "conundrum" --most notably bjm.

If my wife is watching, I'll be coming straight home after the meeting... and all this lawyer stuff has got me thinkin', maybe later tonight, if you present me with your briefs, I'll recommend a merger.

Cheers
bjm-
This posting will now be minimized due to......you know the rest.

EDIT: Let's be fair, folks. If Secunia had been more open about why the bug had been accepted and Mr. Legerov's track record, we would have had little reason to doubt them.

Giving my post a negative relevancy score - for acknowledging that they were right and expressing my belief that Secunia could have avoided ill will by clarifying the advisory sooner - seems like a sheerly vindictive move.

However, I think Secunia could take a couple lessons from this.
-Authors should get a page that shows any and all exploits they are credited with and how those exploits were assigned (e.g. were they verified via PoC? Acknowledgment from vendor? Based on trustworthiness of past exploits?)

-Secunia should publicly acknowledge the context on which an exploit was accepted on the exploit page itself.

This would have done a lot to make Secunia's vulnerability assessment/acceptance process a lot more transparent and would have fostered trust in both Secunia and Mr. Legerov.

In addition, the lack of public comment/acknowledgment did little to boost Secunia's credibility. Just explain what you did in the blog post you made today would have gone a long way in keeping peace.

Totally right man! I wonder how long it takes this lot to catch up and stop scaring naive people. I had 3.6.2 installed in its beta version up until the recent release; however my version (beta) had the issues in question resolved. That didn't seem to trickle through to the good people at Secunia. One wonders how long it takes for them to update their database and what other unfounded threat messages are emanating from this source. Get your act up to speed!

1. forcing SSL authentication has a) seemingly nothing to do with the vulnerabilities and b) breaks SSL websites for a significant number of people
2. the problem here is not firefox: ALL code has an unending number of vulnerabilities, and stating them openly only means that the Mozilla community is patching more vulnerabilities faster; it's not a blight, it's (sort of) a compliment.
3. Updating firefox to 3.6.2 is certainly a good idea, because of all the vulnerabilities (including others not mentioned here)
so why is everyone so mad?